CISA Catalogs Microsoft Windows Print Spooler Flaw Exploited by APT28
April 25, 2024
The Cybersecurity and Infrastructure Security Agency (CISA) in the U.S. has added the Microsoft Windows Print Spooler privilege escalation vulnerability, tracked as CVE-2022-38028, to its Known Exploited Vulnerabilities (KEV) catalog. The decision followed Microsoft's disclosure that the Russia-affiliated APT28 group, also known as 'Forest Blizzard', 'Fancy Bear', or 'Strontium', had exploited this flaw. The group used a previously unknown tool, called GooseEgg, to exploit CVE-2022-38028.
According to reports, the cyberespionage group has been leveraging the GooseEgg tool for exploitation since at least June 2020, or possibly even earlier. The tool works by altering a JavaScript constraints file and running it with SYSTEM-level permissions. APT28 has reportedly used GooseEgg in post-compromise activities against a diverse range of targets, including organizations in the government, non-governmental, education, and transportation sectors in Ukraine, Western Europe, and North America.
Despite its simplicity as a launcher application, GooseEgg has been used by threat actors to run other applications with elevated permissions as specified at the command line. In a post-exploitation scenario, this tool can be used by attackers to carry out a wide spectrum of malicious activities, including remote code execution, backdoor installation, and lateral movement through compromised networks.
The U.S. National Security Agency reported the CVE-2022-38028 vulnerability, which Microsoft addressed in the Microsoft October 2022 Patch Tuesday security updates. APT28 has used GooseEgg to secure elevated access to target systems and exfiltrate credentials and sensitive data.
In accordance with Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, Federal Civilian Executive Branch (FCEB) agencies must remediate the identified vulnerabilities by the stipulated deadline to safeguard their networks against attacks exploiting the cataloged flaws. Experts also advise private organizations to review the catalog and remediate these vulnerabilities in their own infrastructure. CISA has directed federal agencies to remediate this vulnerability by May 14, 2024.